Hi all!
It would be good for me if you could help me.
On a client side:
I have the following global section in smb.conf and a winbind PAM config (/etc/pam.d/common-auth):
[global]
workgroup = COMPANY
realm = COMPANY.RU
security = ADS
encrypt passwords = true
dns proxy = no
socket options = TCP_NODELAY
domain master = no
local master = no
preferred master = no
os level = 0
domain logons = no
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes
idmap config * : range = 10000-20000
idmap config * : backend = tdb
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
template shell = /bin/bash
winbind refresh tickets = yes

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required pam_deny.so
# here are the per-package modules (the "Primary" block)
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
# end of pam-auth-update config
After logging in to the client I have a TGT, for example:

Valid starting       Expires              Service principal
23.08.2014 23:00:53  24.08.2014 09:00:51  krbtgt/COMPANY.RU@COMPANY.RU
        renew until 30.08.2014 23:00:53
23.08.2014 23:00:53  24.08.2014 09:00:51  GUSEVVS$@COMPANY.RU
        renew until 30.08.2014 23:00:53
The first question is about GUSEVVS$@COMPANY.RU: what is that ticket? The "$" is a strange symbol...
The second is about "Expires": when I lock my PC (Ubuntu) and unlock it again, I get a new TGT, but when my PC is idle without the lock screen for more than 10 hours, my TGT has expired, and because of this I can't reach any Kerberos-protected services.
I use Samba 4.1.6 as the domain member (Ubuntu repos) and 4.1.9 as the server-side software (SerNet).
Does it work? I mean the "winbind refresh tickets = yes" setting.
Thank you for your effort!
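As an added example (not part of the original post or of Samba itself), the following Python script parses klist output in the format quoted above and, for a chosen wall-clock time, reports for each ticket whether it is still valid, whether it can still be renewed, or whether it has expired. The point it illustrates is the one behind the second question: a ticket can only be renewed while it is still valid and before its "renew until" time, so once the Expires time has passed on an idle desktop, a fresh kinit (or a fresh PAM login) is the only way to get a usable TGT again. It also flags principals whose name ends in "$", which is the Active Directory naming convention for computer (machine) accounts. The sample klist text is constructed from the post, and the function names are mine, not any Samba or MIT Kerberos API.

```python
"""Parse MIT-style klist output and classify each ticket at a given time."""
from datetime import datetime, timedelta
import re

# Constructed sample in the shape of the klist output quoted in the post
# (dd.mm.yyyy HH:MM:SS timestamps and an indented 'renew until' line).
SAMPLE_KLIST = """\
Valid starting       Expires              Service principal
23.08.2014 23:00:53  24.08.2014 09:00:51  krbtgt/COMPANY.RU@COMPANY.RU
\trenew until 30.08.2014 23:00:53
23.08.2014 23:00:53  24.08.2014 09:00:51  GUSEVVS$@COMPANY.RU
\trenew until 30.08.2014 23:00:53
"""

TS = r"\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s*renew until ({TS})\s*$")


def parse_ts(text):
    """Parse the dd.mm.yyyy HH:MM:SS timestamp format used in the post."""
    return datetime.strptime(text, "%d.%m.%Y %H:%M:%S")


def parse_klist(text):
    """Return a list of tickets: start, expires, principal, renew_until (or None)."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({
                "start": parse_ts(m.group(1)),
                "expires": parse_ts(m.group(2)),
                "principal": m.group(3),
                "renew_until": None,
            })
            continue
        m = RENEW_RE.match(line)
        if m and tickets:
            # The 'renew until' line belongs to the ticket just parsed.
            tickets[-1]["renew_until"] = parse_ts(m.group(1))
    return tickets


def is_machine_account(principal):
    """AD computer accounts are named with a trailing '$' (e.g. HOST$@REALM)."""
    return principal.split("@")[0].endswith("$")


def classify(ticket, now):
    """Return (state, can_renew, remaining_lifetime) for a ticket at time `now`."""
    if now >= ticket["expires"]:
        # Past 'Expires' the ticket is gone. 'renew until' no longer helps,
        # because renewal requires a still-valid ticket; a new kinit is needed.
        return "expired", False, timedelta(0)
    can_renew = (ticket["renew_until"] is not None
                 and now < ticket["renew_until"])
    return "valid", can_renew, ticket["expires"] - now


def report(text, now):
    """Classify every ticket in `text` as of `now`; returns a list of dicts."""
    rows = []
    for t in parse_klist(text):
        state, can_renew, remaining = classify(t, now)
        rows.append({
            "principal": t["principal"],
            "machine_account": is_machine_account(t["principal"]),
            "state": state,
            "can_renew": can_renew,
            "remaining_seconds": int(remaining.total_seconds()),
        })
    return rows


if __name__ == "__main__":
    # Two checkpoints: one hour before expiry, then one hour after it.
    for when in ("24.08.2014 08:00:00", "24.08.2014 10:00:00"):
        print(f"as of {when}:")
        for row in report(SAMPLE_KLIST, parse_ts(when)):
            print("  ", row)
```

Run it with a real ticket cache by replacing SAMPLE_KLIST with the output of `klist` (the timestamp format depends on the system locale, so adjust the TS pattern and strptime format if klist prints dates differently on your machine).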